SYSTEM, METHOD AND COMPUTER PROGRAM PRODUCT FOR SEARCHING FOR, AND RETRIEVING, PROFILE ATTRIBUTES BASED ON OTHER TARGET PROFILE ATTRIBUTES AND ASSOCIATED PROFILES

BACKGROUND OF THE INVENTION 

The present invention relates, in general, to the field of computer systems and methods for implementing the same. More particularly, the present invention relates to a system, method and computer program product for searching for, and retrieving, profile (or directory) attributes based on other attributes of the target profile and that of associated profiles.

Computer systems including business systems, entertainment systems, and personal communication systems are increasingly implemented as distributed software systems. These systems are alternatively referred to as "enterprise networks" and "enterprise computing systems". These systems include application code and data that are distributed among a variety of data structures, data processor systems, storage devices and physical locations. They are intended to serve a geographically diverse and mobile set of users. This environment is complicated because system users move about the distributed system, using different software applications to access and process data, different hardware to perform their work, and often different physical locations to work from. These trends create a difficult problem in providing a secure yet consistent environment for the users.

In general, distributed computing systems must scale well. This means that the system architecture desirably adapts to more users, more applications, more data, and more geographical distribution of the users, applications, and data. The cost in money and time to switch over a network architecture that is adapted to a smaller business to one suited for a larger business is often prohibitive.

A conventional computing system uses a client/server model implemented on a local area network ("LAN"). In such systems powerful server computers (e.g., application servers and file servers) are used to process and access data. The requested data is then transmitted to the client computer for further processing. To scale to larger networks, multiple LANs may be inter-networked using, for example, leased data lines to create a wide area network ("WAN"). The equipment required to implement a WAN is expensive and difficult to administer. Also, as networks become larger to include multiple LANs and multiple servers on each LAN it becomes increasingly difficult to find resources (i.e., files, applications, and users) on any one of the LANs.

As computing power continues to become less expensive, clients tend to process and store their own data, using the server primarily as file servers for sharing data with other client computers. Each software application running on the client, or the client's operating system ("OS") may save client specific configuration data that is used by the client to fine-tune and define the user's software environment at runtime.

As used herein, the term "profile information" refers to any information or metadata used by a particular piece of hardware, software application, or operating system to configure a computer. The profile information may be associated with a particular application or group of applications, a particular hardware device or group of devices, as well as a particular user or group of users. Some operating systems store user profile information that is used during boot operations application start-up to tailor a limited number of the system characteristics to a particular machine user. However, this profile information is closely tied to a single machine and operating system. As a result, the profile information is not useful to a new user the first time that user logs onto a particular machine. Moreover, this information is not available to remote users that are accessing the LAN/WAN using remote access mechanisms.

Existing mechanisms tend to focus on a single type of profile information — user information, application information or hardware information. Also, because these mechanisms are very application specific they limit the number and type of attributes that can be retained. Further, the profile information is isolated and fails to indicate any hierarchical or relational order to the attributes. For example, it may be desirable that a user group is required to store all files created using a particular application suite to a specific file server. Existing systems, if such a service is available at all, must duplicate profile information in each application program merely to implement the required file storage location preference. Storage location direction based on a user-by-user or user group basis is difficult to implement and may in fact require a shell application running on top of the application suite. Even then, the system is not extensible to access, retrieve, and use profile information for a new user that has not used a particular machine before.

As in the example above, existing systems for storing configuration information lead to duplicative information stored in many locations. Each application stores a copy of its own configuration information, as does each hardware device and each user. Much of this information is identical. It is difficult to maintain consistency among these many copies in distributed data environments. For example, when the specified file storage location changes, each copy of the configuration information must be changed. The user or system administrator must manually track the location and content of each configuration file. An example of the inefficiencies of these types of systems is found in the Windows 95 registry file that holds profile information but has an acknowledged tendency to bloat over time with duplicative and unused data. Moreover, the registry file in such systems is so closely tied to a particular machine and instance of an operating system that it cannot be remotely accessed and used to configure other computers or devices. Hence, these systems are not generally extensible to manage multiple types of profile information using a single mechanism. A need therefore, exists for profile information that is readily accessible to all machines coupled to a network and to machines accessing the network through remote access mechanisms.

Peer-to-peer type networks are an evolutionary change to client/server systems. In a peer-to-peer network each computer on the LAN/WAN can act as a server for applications or data stored on that machine. A peer-to-peer network does not require, but is able to, run alongside a client/server system. Peer-to-peer architectures offer a potential of reduced complexity by eliminating the server and efficient use of resources available in modern client and workstation class computers. However, peer-to-peer networks remain dependent on a secure, closed network connection to implement the LAN/WAN which is difficult to scale upwardly.

Peer-to-peer solutions also do not scale well because as the network becomes larger it becomes increasingly difficult to identify which peer contains the applications and data needed by another peer. Moreover, security becomes more difficult to manage because the tasks of authorizing and authenticating users is distributed among the peer group rather than in a centralized entity. A need exists for a system and method that enables a peer-to-peer architecture to scale without reduced performance, ease of use, and security.

Another complicating influence is that networks are becoming increasingly heterogeneous on many fronts. Network users, software, hardware, and geographic boundaries are continuously changing and becoming more varied. For example, a single computer may have multiple users, each of which work more efficiently if the computer is configured to meet their needs. Conversely, a single user may access a network using multiple devices such as a workstation, a mobile computer, a hand-held computer, or a data appliance such as a cellular phone or the like. A user may, for example, use a full featured e-mail application to access e-mail while working from a workstation but prefer a more compact application to access the same data when using a hand-held computer or cellular phone. In each case, the network desirably adapts to the changed conditions with minimal user intervention.

In order to support mobile users, the client/server or peer-to-peer network had to provide a gateway for remote access. Typically this was provided by a remote access server coupled to a modem. Remote users would dial up the modem, comply with authorization/authentication procedures enforced by the server, then gain access to the network. In operation the mobile user's machine becomes like a "dumb terminal" that displays information provided to it over the dial-up connection, but does not itself process data. For example, a word processing program is actually executing on the remote access server, and the remote user's machine merely displays a copy of the graphical user interface to the remote user. The remote user is forced to use the configuration settings and computing environment implemented by the remote access server. A need therefore, exists for a method and system for remote access that enables the remote user to process data on the remote machine without being confined to using configuration settings imposed by a remote access server.

There is increasing interest in remote access systems that enable a user to access a LAN/WAN using public, generally insecure, communication channels such as the Internet. Further, there is interest in enabling LANs to be inter-networked using public communication channels. This is desirable because the network administrator can provide a single high speed gateway to the Internet rather than a remote server/modem combination for each user and expensive WAN communication lines. The Internet gateway can use leased lines to access the Internet rather than more costly business phone lines. Also, the Internet gateway can be shared among a variety of applications and so the cost is not dedicated solely to providing remote access or wide area networking. The reduction in hardware cost and recurrent phone line charges would be significant if remote users could access the LAN/WAN in this manner.

In an enterprise system it is critical that distributed resources remain available. Access to profile information is often prefatory to using a particular system or software application for meaningful work. High availability is accomplished in most instances by replicating critical resources and managing the replicas so that they remain consistent. Replication leads to difficulties in keeping the replicas consistent with each other. This is particularly true for profile type information that may be controlled by or owned by a variety of entities. For example, a user may own profile information related to that user's preferences, passwords, and the like. However, a workgroup administrator may own profile information related to group membership, group security policies, and the like. Further still, individual applications may own profile information describing that application's configuration operations. In an environment where any entity can change the information contained in any profile that it owns at any time, it quickly becomes an intractable problem to maintain consistency among multiple replicas. A need exists for a system and methods for maintaining profile information owned by a diverse set of entities in a highly available manner.

From a network user's perspective these limitations boil down to a need to manually configure a given computer to provide the user's desired computing environment. From a remote user's perspective these limitations require the user to reconfigure the remote access computer to mimic the desired computing environment or tolerate the generic environment provided by default by the remote access server. From a network administrator's perspective, these complications require software and operating systems to be custom configured upon installation to provide the desired computing environment. In each case, the time and effort consumed simply to get "up and running" is a significant impediment to efficient use of the distributed computing environment. What is needed is a system that readily adapts to the changing, heterogeneous needs of a distributed network computing environment.

One solution to the problem of finding resources in a distributed system is to use directories. Directories are data structures that hold information such as mail address book information, printer locations, public key infrastructure ("PKI") information, and the like. Because of the range of functions and different needs of driving applications, most organizations end up with many different, disparate directories. These directories do not interact with each other and so contain duplicative information and are difficult to consistently maintain.

Meta-directories are a solution that provides directory integration to unify and centrally manage disparate directories within an enterprise. A meta-directory product is intended to provide seamless integration of the multiple disparate directories. However, existing solutions fall short of this seamless integration because the problems to be solved in directory integration are complex. Meta-directory solutions are not sufficiently extensible to account for the wide variety of resources available on a network. In the past, meta-directory technology has not been used to catalog metadata of sufficiently general nature to meet the needs of a dynamically growing and changing distributed computing environment.

X.500 is one current model for managing on-line directories of users and resources (Directory Services) that includes the overall namespace as well as the protocol for querying and updating it. An X.500 directory is called a Directory Information Base ("DIB") and the program that maintains the DIBs is called a Directory Server Agent ("DSA"). A Directory Client Agent ("DCA") is used to search DSA sites for names and addresses.

The protocol generally used in conjunction with X.500 is the "DAP" (Directory Access Protocol) and it operates over the OSI (Open System Interconnection) network protocol stack. Due to the fact that a full DAP client is difficult to implement on smaller computer systems, the LDAP (Lightweight Directory Access Protocol) was developed. Like X.500, LDAP is both an information model and a protocol for querying and manipulating it and the overall data and namespace model is essentially that of X.500. A fundamental difference between DAP and LDAP is that the
latter protocol is designed to run directly over the TCP/IP (Transmission Control Protocol/Internet Protocol) stack, and it lacks some of the DAP protocol functions such as security. In operation, LDAP enables a user to locate organizations, individuals, and other resources such as files and devices in a network, whether on the Internet or on a corporate intranet.

In a network, a directory is used to indicate where in the network something is located. On TCP/IP networks (including the Internet), the Domain Name System ("DNS") is the directory system used to relate the domain name to a specific network address or unique location on the network. If the domain name is not known, LDAP allows a user to initiate a search for, for example, an individual without knowing exactly where he is located. Simply stated, an LDAP directory is organized in a simple tree hierarchy and may consist, for example, of the following levels:

    The "Root" directory (the starting place or the source of the tree), which branches out to
    Countries, each of which branches out to
    Organizations, which branch out to
    Organizational units (divisions, departments, and so forth), which branches out to (includes an entry for)
    Individuals (which includes people, files, and shared resources such as printers)

An LDAP directory can be distributed among many servers, and each server can have a replicated version of the total directory that is synchronized periodically. When an LDAP server receives a request from a user, it takes responsibility for the request, passing it to other DSAs as necessary, but nevertheless ensuring a single coordinated response for the user.

The current LDAP protocol is specified in RFCs (Request For Comments) 1777 and 1778 while the string representation of LDAP search filters is specified in RFC 2254.

SUMMARY OF THE INVENTION

Disclosed herein is a system and method for searching for and retrieving profile attributes based on other attributes of the target profile and that of associated profiles. The present invention advantageously enhances the LDAP RFC 2254 search mechanism to base results not only on the attributes of a specific profile (or directory) but also on related profiles (or directories).

The LDAP RFC 2254 string search syntax may be utilized but it is enhanced and extended in that the profile search mechanism herein disclosed allows multiple related search filters to be specified at one time. The top most filter is used to retrieve results and the succeeding filters are used to determine if a specific profile should even be considered.

Particularly disclosed herein is a method and a computer program product for searching directories in a computer system comprising the steps of specifying a sequence of query strings for the directories, applying each of the sequence of query strings to the directories, determining candidate ones of the directories comprising matches to a first of the sequence of query strings, iteratively applying remaining ones of the sequence of query strings to the candidate ones of the directories and returning a result set of data representative of the candidate ones of said directories having matched each of the specified sequence of query strings.

The aforementioned and other features and objects of the present invention and the manner of attaining them will become more apparent and the invention itself will be best understood by reference to the following description of a preferred embodiment taken in conjunction with the accompanying drawings, wherein:

FIG. 1 illustrates a representational network computing system and operating environment for performing the computer implemented steps of a method in accordance with the present invention;

FIG. 2 illustrates a more specific network architecture in which the present invention may be employed;

FIG. 3 illustrates a representative profile service search in accordance with the present invention presenting a series of three possible queries and the resultant matches; and

FIG. 4 illustrates a representative profile service search process in accordance with an embodiment of the present invention.

DESCRIPTION OF A PREFERRED EMBODIMENT

With reference now to FIG. 1, the present invention is illustrated and described in terms of a distributed computing environment such as an enterprise computing system using public communication channels such as the Internet. However, an important feature of the present invention is that it is readily scaled upwardly and downwardly to meet the needs of a particular application. Accordingly, unless specified to the contrary, the present invention is applicable to significantly larger, more complex network environments as well as small network environments such as conventional LAN systems.

It is contemplated that the present invention will be particularly useful in environments that require a data structure that is quickly searched and where the data is suited to a hierarchical representation. Also, the system of the preferred implementation is designed to store and make available relatively compact units of data that serve to configure (i.e. startup, return decisions, shutdown) devices and computer environments rather than operational or analytical data upon which the computer environment may operate at runtime. Hence, the present invention is particularly advantageously used when it stores and retrieves data that is frequently searched and retrieved, but infrequently changed although it may also be used in conjunction with data that is frequently changed as well.

FIG. 1 shows an exemplary computing environment 100 in which the present invention may be implemented. Essentially, a number of computing devices and groups of devices are interconnected through a network 101. For example, a LAN 102 and a LAN 103 are each coupled to network 101 through gateway machines 104 and 105 respectively. LANs 102 and 103 may be implemented using any available topology such as a hub and spoke topology of LAN 102 and a loop topology of LAN 103. LANs 102 and 103 may implement one or more server technologies including, for example a UNIX, Novell, Windows NT, Solaris™ (a trademark or registered trademark of Sun Microsystems, Inc. in the United States or other countries) or peer-to-peer type network. Each network will include distributed storage implemented in each device and typically includes some mass storage device coupled to or managed by a server computer. Network 101 comprises, for example, a public network such as the internet or another network mechanism such as a fibre channel fabric or conventional wide area network ("WAN") technologies.

LAN 102 includes one or more workstations such as personal computer ("PC") 106. LAN 102 also includes a
server machine 107 and one or more shared devices such as printer 108. A hub or router 109 provides a physical connection between the various devices in LAN 102. Router 104 is coupled through gateway 109 to provide shared access to network 101. Gateway 109 may implement any desired access and security protocols to manage access between network 101 and devices coupled to network 102. Similarly, network 103 comprises a collection of workstations 111, 112 and 113 that share a common connection to network 101 through gateway 105.

Distributed computing environment 100 further includes a wide variety of devices that have a logical connection to the network supported by a physical connection to network 101. For example, a stand alone workstation 114 may couple to network 101 through a modem or other suitable physical connection. Likewise, notebook computer 115 and palmtop computer 116 may connect to network 101 using known connection technologies. It is contemplated that a wide variety of devices may join the distributed network 100 including mobile phones, remote telemetry devices, information appliances, and the like. An important feature of the present invention is that it tolerates and adapts to an environment filled with heterogeneous hardware devices coupled to the network 101 from a variety of physical locations.

Each of the devices shown in FIG. 1 may include memory, mass storage, and a degree of data processing capability sufficient to manage their connection to network 101. The computer program devices in accordance with the present invention are implemented in the memory of the various devices shown in FIG. 1 and enabled by the data processing capability of the devices shown in FIG. 1. In addition to local memory and storage associated with each device, it is often desirable to provide one or more locations of shared storage such as disk farm 116 that provides mass storage capacity beyond what an individual device can efficiently use and manage. Selected components of the present invention may be stored in or implemented in shared mass storage such as disk farm 116.

The computer program product devices in accordance with the present invention include elements that operate in a server, a client or both. It is contemplated that elements may be stored remotely, delivered to a client system on demand by a server computer and executed partially and completely by the server and client. Accordingly, the present invention is not limited by the method of distribution or packaging that a particular application involves. In other words, the present invention may be distributed as client-only software devices, server-only software devices or as system software that is distributed to both client and server devices.

With reference additionally now to FIG. 2, a more specific example of the present invention implemented in a gateway or firewall server such as gateway 104 or gateway 105 in FIG. 1 is shown. The components implemented in a gateway machine include a core profile engine 201 that is accessed by a client application 202 through a profile services application programming interface ("API") 203. API 203 provides an interface that enables client applications that have a corresponding interface to send messages that enable the application to send data and commands to request profile services from core profile engine 201. In a particular implementation the profile services API 203 provides three basic functions. First, the profile services API 203 provides "factory" methods for creating profiles. Second, the profile services API 203 provides search and retrieve methods for accessing existing profiles. Third, the profile services API 203 provides management utilities for defining schemas.

Core profile engine 201 responds to the client application requests by executing requested functions on virtual profile data store 205. Core profile engine 201 maintains a set of metadata about every attribute and binding for every profile. This metadata controls how the profile engine 201 makes the profile data available to client applications 202. This metadata includes, but is not limited to, information regarding owner identity, read-write-modify permissions, group membership, timestamps, triggers, and the like.

Virtual profile data store 205 may comprise a single data storage device, but more often comprises a plurality of disparate, heterogeneous data storage devices. The specific example of FIG. 2 includes a relational database 206, lightweight directory access protocol 207, flat data file 208, object oriented database 209, and X.500 directory 211. An adapter 204 may also access another data application 210 where the data application 210 provides an API compatible with the adapter 204 and operates to access other local and distributed data stores. In a particular implementation, adapter(s) 204 comprise an adapter for each data store device and/or protocol. Each adapter 204 includes an interface to core profile engine 201 and a special purpose interface configured to the specific data store within virtual data store 205 that it is intended to access. Virtual data store 205 includes a dynamically changing number of data store devices as devices can be added, changed, and deleted by modifications to the associated adapter 204.

With reference additionally now to FIG. 3, a representative profile service search 300 presenting a series of three possible queries and the resultant matches is shown. The search 300 and all queries are made relative to the search root 302 although a search may alternatively specify any profile as the search root.

In the example shown, profile 304 (ep=user-ep1) has the attributes of type=user and eid=ep1; profile 306 (ep=user-ep2) has the attributes of type=user and eid=ep2; profile 308 (ep=comp-ep3) has the attributes of type=user and eid=ep3 and profile 310 (ep=comp-ep4) has the attributes of type=user and eid=ep4. Sub-profile 312 (p=demographic) has the attributes of type=demographic, zip=80000 and locale=gb while sub-profile 314 (p=demographic) has the attributes of type=demographic, zip=82000 and locale=gb. Further sub-profile 316 (p=net) has the attributes of type=net, email=P™@*™-™™ and web=www.pw.com as shown.

Query 1 specifies a search for "(type=user)" and "(&(type=demographic)(zip=80000))"}. This first query produces a match at profile 304 as shown since the attributes of profile 304 and sub-profile 312 match the specified criteria. Query 2 then specifies a search for "(&(type=demographic)(zip=80020))"} which matches the attributes of sub-profile 314. Query 3 finally specifies a search for "(type=user)" and "(&(type=net)(email~=sun))"} which also produces a match at profile 304 as shown since the attributes of profile 304 and sub-profile 316 match the specified criteria.

As can be seen the queries are executed from the search root or can specify any profile as the search root. Specific attributes can be requested as a return value with access control being checked. If specific attributes are not requested, then the resource identification ("ID") of any matching profiles is returned and access control is not checked. Multiple responses to queries are allowed although a maximum response count may be specified.

Unlike a conventional LDAP query as provided for in RFC 2254, the system and method of the present invention advantageously allows for the specification and execution of a sequence, or series, of LDAP style query strings at one
time, with each of the query strings being utilized in a specific way to determine a match. While a conventional LDAP search string can query only a single directory at a time, the system and method of the present invention is operational to execute a first query of a sequence of queries to determine if one or more profiles matches the first query. If one or more matches are found, the results then are "candidates" for the next query of the series. Consequently, before any results are reported back for the first query, the subsequent queries proceed further down a "tree" structure in relationship to further profiles relative to any candidate profiles matched initially to determine if they too match the subsequent query strings in the sequence of queries that has been specified.

As shown in the example of FIG. 3, the first query string of a sequence of strings in example Query 1 is executed to find those profiles where the "type" is equal to "user". Profiles 304, 306, 308 and 310 are all candidates. Of these, a match will be found only if their sub-profile has a "type" equal to "demographic" and the zipcode is equal to "80000". The results of this first exemplary query then provides a match on profile 304 and not profiles 306, 308 and 310.

Query 2 illustrates that if a search had instead been performed for a match where the "type" is equal to "demographic" and the zipcode is equal to "82000", then sub-profile 314 would have been matched. That sub-profile alone in the tree structure shown would be returned in this particular example although, of course, a search may actually return multiple matches.

Query 3 is an example of a sequence of query strings which may be executed to find those profiles which first have a "type" equal to "user" (profiles 304, 306, 308 and 310 are

In contrast, the conventional LDAP search mechanism specified in RFC 2254 only allows the evaluation of a single directory.

The profile service utilized in conjunction with the present invention supports two basic functional objects, profiles themselves and a "profile manager". The profile manager interface is alternatively referred to as the profile service interface. Any logical interfaces described are not intended to be literal. Instead, they are intended to articulate the fundamental functional operations that the service supports. All implementations of the profile service desirably support these classes of functions. In addition, individual implementations may support additional methods that are not supported in all implementations to meet the needs of a particular application.

While there have been described above the principles of the present invention in conjunction with specific exemplary implementations it is to be clearly understood that the foregoing description is made only by way of example and not as a limitation to the scope of the invention. Particularly, it is recognized that the teachings of the foregoing disclosure will suggest other modifications to those persons skilled in the relevant art. Such modifications may involve other features which are already known per se and which may be used instead of or in addition to features already described herein. Although claims have been formulated in this application to particular combinations of features, it should be understood that the scope of the disclosure herein also includes any novel feature or any novel combination of features disclosed either explicitly or implicitly or any generalization or modification thereof which would be

all candidates at this point) and a further sub-profile "type" apparent to persons skilled in the relevant art, whether or not 

equal to "net" and an electronic mail ("email") address such relates to the same invention as presently claimed in 

approximately equal to ("~=") "sun". The second query 35 any claim and whether or not it mitigates any or all of the 

string of the sequence specified in Query 3 then eliminates same technical problems as confronted by the present inven- 

profiles 308 and 310 as candidates because they have no tion. The applicants hereby reserve the right to formulate 

sub-profiles to provide a match. Sub-profile 314 then elimi- new claims to such features and/or combinations of such 

nates profile 306 due to the fact the second query string of features during the prosecution of the present application or 

the sequence specifies criteria on which there is no match. 40 of any further application derived therefrom. 

Consequently, because sub-profile 316 of candidate profile What is claimed is: 

304 provides a match on the second query string as well, a 1. a method for searching directories in a computer 

match is found on profile 304. A query only on the second system comprising; 

query string of example Query 3 (without the first query . c . c c , . 

\ . 3 - „t N ,, ... . . t_ specifying a sequence of query strings for said directories; 

string or (type=user) would have provided a match on 45 -1 j a 

sub-profile 316. =With reference additionally now to FIG. 4, applying each of said sequence of query strings to said 

an exemplary process flow 400 in accordance with the directories; 

system and method of the present invention is shown. The determining candidate ones of said directories comprising 

process 400 begins with the specification of a sequence of matches to a first of said sequence of query strings; 

query strings at step 402 as previously described. At step 404 50 iterative ly applying remaining ones of said sequence of 

the first of the sequence of query strings is executed and, if query strings to said candidate ones of said directories; 

results are found at decision step 406, they are placed in a and 

set of candidate profiles (or directories) at step 408. If no returning a result set of data representative of said can- 
results are returned at decision step 406, the process 400 didate ones of said directories havirjg mat ched each of 
ends. =At step 410, the next in the sequence of query strings 55 sa j d specified sequence of query strings, 
is executed on the set of candidates relative to each candi- 2 The method of claim j wherein said step of specifying 
date and, if results are found at decision step 412, the results ^ carr j ec j out by the step of: 

define a new set of candidates at step 414. Should no results . rnAn + 

. c . it _ Ann , ,r 4U - j / \ specifying LDAP compliant query strings, 

be found, the process 400 ends. If a third (or more) query * n*.' « c , . ~ * *\ ' A - 

. ' E,. . ... „ , fi \ , . J . 3. The method of claim 1 further comprising the step of: 

string is part of the sequence initially denned at step 402, at 60 

decision step 416 the process 400 iteratively applies steps caching said directories at a local storage device prior to 

410, 412, 414 and 416 until the last query string has been said ste P of applying- 

executed and the results are returned at step 418. 4 ; ^ method of claim 1 wherein said step of applying is 

The profile search mechanism of the present invention carried out b y the ste P s of: 

advantageously allows an arbitrary number of qualifying 65 determining a search root of said directories; and 

search filters to be specified. As such, the process of reduc- executing said sequence of query strings from said search 

ing the result set may continue based on the filters specified. root. 
5. The method of claim 4 wherein said step of determining
said search root is carried out by the step of: 

defining one of said directories as said search root. 

6. The method of claim 1 wherein said step of specifying 
said sequence of query strings further comprises the step of:

requesting specific attributes of said result set as a return 
value. 

7. The method of claim 6 further comprising the step of:

checking access control of a user specifying said sequence
of query strings.

8. The method of claim 1 wherein said step of returning 
said result set further comprises the step of: 

producing said data in the form of a resource
identification of said result set.

9. The method of claim 1 wherein said step of specifying 
said sequence of query strings further comprises the step of: 

defining a maximum response count for said result set. 

10. A computer program product comprising: 

a computer usable medium having computer readable
code embodied therein for searching directories in a 
computer system comprising: 

computer readable program code devices configured to 
cause said computer to effect allowing for specifying 
a sequence of query strings for said directories;

computer readable program code devices configured to 
cause said computer to effect apply each of said 
sequence of query strings to said directories; 

computer readable program code devices configured to 
cause said computer to effect determining candidate
ones of said directories comprising matches to a first 
of said sequence of query strings; 

computer readable program code devices configured to 
cause said computer to effect iteratively applying
remaining ones of said sequence of query strings to
said candidate ones of said directories; and 

computer readable program code devices configured to 
cause said computer to effect returning a result set of 
data representative of said candidate ones of said 
directories having matched each of said specified
sequence of query strings. 

11. The computer program product of claim 10 wherein 
said computer readable program code devices configured to 
cause said computer to effect allowing for specifying is 
carried out by computer readable program code devices
configured to cause said computer to effect allowing for 
specifying LDAP compliant query strings. 

12. The computer program product of claim 10 further 
comprising: 

computer readable program code devices configured to
cause said computer to effect caching said directories at 
a local storage device. 

13. The computer program product of claim 10 wherein 
said computer readable program code devices configured to 
cause said computer to effect applying is carried out by:

computer readable program code devices configured to
cause said computer to effect determining a search root
of said directories; and

computer readable program code devices configured to
cause said computer to effect executing said sequence
of query strings from said search root.

14. The computer program product of claim 13 wherein 
said computer readable program code devices configured to 
cause said computer to effect determining said search root is 
carried out by computer readable program code devices
configured to cause said computer to effect defining one of 
said directories as said search root. 
15. The computer program product of claim 10 wherein
said computer readable program code devices configured to 
cause said computer to effect specifying said sequence of 
query strings further comprises: 

computer readable program code devices configured to 
cause said computer to effect requesting specific 
attributes of said result set as a return value. 

16. The computer program product of claim 15 further 
comprising: 

computer readable program code devices configured to 
cause said computer to effect checking access control 
of a user specifying said sequence of query strings. 

17. The computer program product of claim 10 wherein 
said computer readable program code devices configured to 
cause said computer to effect returning said result set further 
comprises: 

computer readable program code devices configured to 
cause said computer to effect producing said data in the 
form of a resource identification of said result set. 

18. The computer program product of claim 10 wherein 
said computer readable program code devices configured to 
cause said computer to effect allowing for specifying said 
sequence of query strings further comprises: 

computer readable program code devices configured to 
cause said computer to effect allowing for defining a 
maximum response count for said result set. 

19. A method for searching directories in a computer 
system comprising: 

providing for specifying a sequence of query strings for
said directories;

providing for applying each of said sequence of query
strings to said directories;

providing for determining candidate ones of said
directories comprising matches to a first of said sequence of
query strings;

providing for iteratively applying remaining ones of said 
sequence of query strings to said candidate ones of said 
directories; and

providing for returning a result set of data representative
of said candidate ones of said directories having 
matched each of said specified sequence of query 
strings. 

20. The method of claim 19 wherein said step of providing 
for specifying is carried out by the step of: 

providing for specifying LDAP compliant query strings. 

21. The method of claim 19 further comprising the step of:

providing for caching said directories at a local storage
device prior to said step of providing for applying.

22. The method of claim 19 wherein said step of providing 
for applying is carried out by the steps of: 

providing for determining a search root of said
directories; and

providing for executing said sequence of query strings 
from said search root. 

23. The method of claim 22 wherein said step of providing 
for determining said search root is carried out by the step of: 

providing for defining one of said directories as said 
search root. 

24. The method of claim 19 wherein said step of providing 
for specifying said sequence of query strings further
comprises the step of:

providing for requesting specific attributes of said result 
set as a return value. 
25. The method of claim 24 further comprising the step of:

providing for checking access control of a user specifying said sequence of query strings.

26. The method of claim 19 wherein said step of providing for returning said result set further comprises the step of:

providing for producing said data in the form of a resource identification of said result set.

27. The method of claim 19 wherein said step of providing for specifying said sequence of query strings further comprises the step of:

providing for defining a maximum response count for said result set.

28. A system for searching directories in a computer system comprising:

means for specifying a sequence of query strings for said directories;

means for applying each of said sequence of query strings to said directories;

means for determining candidate ones of said directories comprising matches to a first of said sequence of query strings;

means for iteratively applying remaining ones of said sequence of query strings to said candidate ones of said directories; and

means for returning a result set of data representative of said candidate ones of said directories having matched each of said specified sequence of query strings.

29. The system of claim 28 wherein said means for specifying comprises:

means for specifying LDAP compliant query strings.

30. The system of claim 28 further comprising:

means for caching said directories at a local storage device prior to said step of applying.

31. The system of claim 28 wherein said means for applying comprises:

means for determining a search root of said directories; and

means for executing said sequence of query strings from said search root.

32. The system of claim 31 wherein said means for determining said search root comprises:

means for defining one of said directories as said search root.

33. The system of claim 28 wherein said means for specifying said sequence of query strings further comprises:

means for requesting specific attributes of said result set as a return value.

34. The system of claim 33 further comprising:

means for checking access control of a user specifying said sequence of query strings.

35. The system of claim 28 wherein said means for returning said result set further comprises:

means for producing said data in the form of a resource identification of said result set.

36. The system of claim 28 wherein said means for specifying said sequence of query strings further comprises:

means for defining a maximum response count for said result set.

*****
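The sequenced search of process flow 400 (FIG. 4), run over Queries 1 to 3 of the description, as an added Python example that is not code from the patent. Assumptions: the tree is constructed (the id `304-demo` and all attribute values are invented), "~=" is modelled as a case-insensitive substring test, each later query string is matched against direct sub-profiles only, only a subset of RFC 2254 filters is parsed, and the names `parse`, `matches`, `walk` and `sequenced_search` are chosen here. Every query string is parsed before any search runs, so a malformed sequence is rejected as a whole.

```python
import re

# Constructed tree after FIG. 3. Ids 304-316 are from the text; the id
# "304-demo" and every attribute value are invented for this example.
TREE = [
    {"id": "304", "type": "user", "subs": [
        {"id": "304-demo", "type": "demographic", "zipcode": "80000", "subs": []},
        {"id": "316", "type": "net", "email": "jane@sun.example", "subs": []}]},
    {"id": "306", "type": "user", "subs": [
        {"id": "314", "type": "demographic", "zipcode": "82000", "subs": []}]},
    {"id": "308", "type": "user", "subs": []}, {"id": "310", "type": "user", "subs": []}]
ITEM = re.compile(r"\(([A-Za-z][\w-]*)(~=|=)([^()*\\]+)\)")

def parse(flt, i=0):
    """Parse an RFC 2254 subset at offset i; return (node, next offset)."""
    if flt[i:i + 2] in ("(&", "(|", "(!"):
        op, i, kids = flt[i + 1], i + 2, []
        while flt[i:i + 1] == "(":
            kid, i = parse(flt, i)
            kids.append(kid)
        if flt[i:i + 1] != ")" or not kids or (op == "!" and len(kids) > 1):
            raise ValueError("malformed filter: " + flt)
        return (op, kids), i + 1
    if not (m := ITEM.match(flt, i)):
        raise ValueError("malformed or unsupported filter: " + flt)
    return (m.group(2), m.group(1), m.group(3)), m.end()

def matches(f, p):
    if f[0] in "&|!":
        hits = [matches(k, p) for k in f[1]]
        return all(hits) if f[0] == "&" else any(hits) if f[0] == "|" else not hits[0]
    have, want = str(p.get(f[1], "")).lower(), f[2].lower()
    return want in have if f[0] == "~=" else have == want  # "~=": substring (assumed)

def walk(nodes):
    for n in nodes:
        yield from [n, *walk(n["subs"])]

def sequenced_search(roots, filters, max_results=None):
    """FIG. 4 flow: filter 1 picks candidates anywhere in the tree; each later
    filter must match a sub-profile one level further down, per candidate."""
    parsed = [parse(flt) for flt in filters]  # validate every string up front
    if not parsed or any(end != len(flt) for (_, end), flt in zip(parsed, filters)):
        raise ValueError("empty sequence or trailing data in a filter")
    frontier = {p["id"]: [p] for p in walk(roots) if matches(parsed[0][0], p)}
    for f, _ in parsed[1:]:                   # steps 410 to 416
        frontier = {cid: hits for cid, nodes in frontier.items()
                    if (hits := [s for n in nodes for s in n["subs"] if matches(f, s)])}
    return sorted(frontier)[:max_results]     # step 418, capped response count
```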